Linux, musical road-dogging, and daily life by Paul W. Frields
 
WordPress and FC5.

After moving my WP to my rejuvenated and software-RAIDed web server, I ran into what is apparently — owing to the googlejuice — a fairly common problem. WordPress would simply not connect to the MySQL database I have on a separate machine inside my firewall. I checked all the configuration files, even connected using the CLI client, but no dice. Then of course I fell back on the standard setenforce 0 test, which showed SELinux to be the culprit.

I haven’t done a lot of work with SELinux, but I have from time to time used system-config-securitylevel, which is a nice, simple tool for people like me who don’t have a lot of free time to learn the ins and outs of policy tuning. However, this particular server doesn’t have the graphical s-c-sl installed, nor any GUI for that matter. (The TUI version has no SELinux tuning interface.) Thankfully, smooge helped me out by reminding me about setsebool, and in particular the boolean I needed:

setsebool -P httpd_can_network_connect_db=true

I hate that so many people “solve” this problem by turning off SELinux, since it’s just so goldurned useful.
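One way to confirm from the audit log that this boolean is the right fix before setting it. This is an added example, not part of the original post. The log records are constructed, and the SELinux type names in them are assumptions about what such a denial looks like under the targeted policy.

```shell
#!/bin/sh
# Constructed sample records; pids, timestamps and the file name are made up.
SAMPLE_LOG='type=AVC msg=audit(1150000000.101:41): avc:  denied  { name_connect } for  pid=2301 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1150000000.101:41): arch=40000003 syscall=102 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1150000000.250:42): avc:  denied  { read } for  pid=2410 comm="httpd" name="notes.txt" scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file'

# Print "source_type target_type class perms" for each AVC denial on stdin.
avc_summary() {
    awk '/type=AVC/ && /denied/ {
        perms = src = tgt = cls = ""; inside = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inside = 1; continue }
            if ($i == "}") { inside = 0; continue }
            if (inside) { perms = (perms == "") ? $i : (perms "," $i); continue }
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/) { cls = substr($i, 8) }
        }
        print src, tgt, cls, perms
    }'
}

# Succeed only if some denial is httpd opening a TCP connection to a
# database port type (type names assumed from the targeted policy).
needs_db_boolean() {
    avc_summary | awk '
        $1 == "httpd_t" && $3 == "tcp_socket" && $4 ~ /(^|,)name_connect(,|$)/ &&
        ($2 == "mysqld_port_t" || $2 == "postgresql_port_t") { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# On the real host, read the audit log instead of SAMPLE_LOG:
#   avc_summary < /var/log/audit/audit.log
#   audit2why < /var/log/audit/audit.log
#   getsebool httpd_can_network_connect_db
printf '%s\n' "$SAMPLE_LOG" | avc_summary
if printf '%s\n' "$SAMPLE_LOG" | needs_db_boolean; then
    echo "database connect denial found: setsebool -P httpd_can_network_connect_db=true"
else
    echo "no httpd-to-database denial; the boolean would not address these AVCs"
fi
```

The second constructed denial (httpd reading a file labelled user_home_t) is there to show a denial that the database boolean does not cover, so it is not a reason to set it.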

2 Comments

  1. Scott Tsai

    Just want to comment that I’ve had similar experience.

    After seeing the database connect failure, if you had chosen to read /var/log/messages* you would have seen the tell-tale AVC denied messages that show SELinux at work. The log can be further processed by audit2why.

    Personally I find reading log files to be the most useful way for debugging system service problems.

    The Fedora SELinux developers should really write a short troubleshooting tutorial that ships with the distribution instead of just putting information in the fedoraproject Wiki.

    * /var/log/audit/audit.log if you have audit installed

  2. Actually, that’s exactly how I found the problem once I had done setenforce 0 — by turning on the auditd service and then reading the audit.log. I grabbed the AVC message and pasted it so I had an idea of the source and target contexts involved, but rather than spend a lot of valuable time hunting down the particular boolean, lazyweb saved me. (Or in this case, lazyIRC.)

    You should file your suggestion as a bug for Fedora Documentation, maybe against the selinux-faq.
